Disclaimer

The content of this blog is intended for informational purposes only. It is not intended to solicit business or to provide legal advice. Laws differ by jurisdiction, and the information on this blog may not apply to every reader. You should not take, or refrain from taking, any legal action based upon the information contained on this blog without first seeking professional counsel. Your use of the blog does not create an attorney-client relationship between you and Arnold & Porter LLP.

February 05, 2013

Mobile Apps: Lax Privacy Practices Are a Legal Hazard

In a new report issued on
February 1, 2013, “Mobile Privacy Disclosures: Building Trust Through
Transparency,” the staff of the Federal Trade Commission (FTC) has made clear
that the Commission will not tolerate inadequate disclosures of how mobile
applications collect, share and use personal information. Indeed, on the same day the new report was
released, the Commission announced that it had obtained a settlement agreement
with a social networking app developer, Path Inc., regarding the FTC’s charges
that Path collected personal information from children under 13 and imported
personal data from users’ address books without their consent or knowledge. The concurrence of that settlement and the
issuance of the new report should send a strong message to those who are
involved in facilitating consumers’ use of mobile apps that they face
considerable enforcement exposure for any failures to provide clear and
conspicuous disclosures of the apps’ data collection and protection practices.

The report builds on the FTC’s previous work on privacy
issues, including the FTC’s March 2012 privacy report; the
FTC’s February 2012
report and December
2012 follow-up report regarding mobile apps for children; and the FTC’s May 2012 workshop
regarding mobile privacy. It also takes
into account and favorably endorses the California Attorney General’s January
2013 recommendations regarding “Privacy
on the Go” for app developers, platform providers, ad networks, mobile
carriers, and operating system developers.
(For previous posts regarding privacy issues in this blog, see here.)

The new report provides guidance to various participants in
the mobile device ecosystem, including platform providers (e.g., Apple, Google, Amazon, Blackberry, and Microsoft), app
developers, trade associations representing the developers, and third parties
such as ad networks and analytics companies.

For platform providers,
the FTC staff recommends the following actions:

developing a “do-not-track” mechanism for mobile
devices, similar in function to do-not-track controls already implemented in
the leading internet browsers;

providing “just-in-time” disclosures when apps
attempt to collect sensitive data, to allow consumers to decide whether to
allow the collection;

developing a “privacy dashboard,” such as that
already used by some platforms, to assist consumers in determining and
reviewing which apps have access to which data;

using icons, as some platforms already do, to
signal to consumers when apps are accessing geolocation information;

increasing transparency of the app review
process, to allow consumers to better understand the extent to which platforms review
apps prior to making them available in app stores, as well as any later
compliance checks or reviews undertaken by platforms.

For app developers,
the new report recommends:

developing a privacy policy, and making it
easily available to consumers through the platform’s app store;

providing just-in-time disclosures and obtaining
affirmative express consent when collecting sensitive information, to the
extent the platform does not already do so;

improving coordination with ad networks and
other third parties, to ensure that the app developers understand what
information the third party is collecting and how that information is being
used, so that the app developer can provide truthful disclosures to consumers.

With respect to developers’ trade associations, the report suggests they could help design
standardized icons and “badges” or other similar short, standardized
disclosures to depict app privacy practices.
Finally, for advertising networks
and other third parties, the report urges efforts to improve coordination
and communication with app developers regarding privacy protection and
assistance to platforms in developing and implementing an effective
do-not-track system for mobile apps.

The recommendations in the FTC staff report, while not
legally binding, merit very close attention by all four groups of players
mentioned in the report. The report
itself emphasizes the FTC’s past enforcement activities in the data privacy and
security arena, and the FTC’s suit against Path is confirmation that those
activities will be aggressive in the area of mobile apps. Platforms and developers, in particular, that
fail to attend to the report’s recommendations will invite unnecessary
liability exposure, which can be avoided by taking the report seriously and
being proactive in all areas reasonably applicable to their role in the mobile
app ecosystem.

UPDATE (2/12/2013): If you want a more in-depth article on this topic, click here.